There’s an asterisk on Nitro Zeus

NITRO ZEUS — The United States developed a plan code-named Nitro Zeus to damage Iranian infrastructure with a cyberattack if nuclear program negotiations failed to halt its weapons effort, a documentary film debuting today reveals. The New York Times and BuzzFeed on Tuesday delved into the blockbuster news from the flick, “Zero Days.”

But as the Times notes only in passing, it’s unclear whether the plan would’ve worked. Martin Libicki, an expert on cyberwar at the RAND Corporation, told MC the lack of certainty is no small matter. “Give me a 200-pound bomb, I can say with some confidence what it’s going to do,” he said. “On a cyberattack, small details can radically change what a particular attack plan is going to do.” It’s also unclear how quickly Iran might have recovered. A recent cyberattack on the Ukrainian electric grid only turned off the power for five hours, an annoyance rather than a crippling blow. By contrast, Libicki credits the earlier Stuxnet attack on Iran’s nuclear program with setting back development by a year or two, enough perhaps to have driven Tehran to the negotiating table.

The “meta-text” of the story is just as interesting, Libicki noted: “Why is this in the news? Who was talking? Are we trying to convey a message?” His best guess is that someone wanted to brag about how sophisticated the government has become on cyber, and reasoned that there was little potential blowback. Stuxnet is regularly cited by critics who say Washington’s professed opposition to cyberwar is hypocritical. “It’s a hypothetical attack,” Libicki said. “The level of criticism is going to be low.”

Another view — Peter Singer at the New America think tank (and author of a book on cyber war) sees a four-part motive for the information being disclosed: 1. to shape perceptions before someone else leaks it; 2. to warn Iran about what might happen if it backslides on the nuclear deal; 3. to demonstrate the Obama administration isn’t being “soft” on Tehran; and 4. to send a signal of strength as deterrence.

JUSTICE ISN’T BLIND — “The Supreme Court is expected within weeks to grant a Justice Department request to allow federal judges to issue warrants for remote searches of Internet-connected computers even if they are located outside their districts, potentially even outside of the United States,” Dave writes for Pros. Justice is seeking to amend Rule 41 of criminal procedure. While government officials say it’s a common-sense update, others — including some on Capitol Hill — warn that the change raises major constitutional and privacy concerns.

SO IT BEGINS — The Homeland Security Department published the first four implementing documents Tuesday required under last year’s information sharing law, and at least one privacy organization isn’t pleased. The civil liberties guidelines “confirm many of our worst fears,” Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, told MC. They show that companies can “share personal information of consumers” and that the data “can be used by law enforcement agencies for purposes that extend far beyond cybersecurity.” Not everyone is unhappy: One congressional aide said that “while we’re still reviewing, everything appears to be in order,” and DHS Secretary Jeh Johnson hailed the documents as a “significant step forward.”

HELD FOR RANSOM — The ransomware attack that brought a Hollywood hospital to a grinding halt over the weekend should be a stark reminder of how hackers can wreak havoc in the real world, Paul Ferrillo, an attorney with Weil, Gotshal and Manges, tells MC. “[This] is a … hospital with patients that they’re serving and rather than acceding to the demands of the attackers, they’ve decided not to pay and therefore potentially sacrificing care,” said Ferrillo, who works in the firm’s cybersecurity practice. Using ransomware, hackers can lock and encrypt a target’s files until the victim pays for them to be unlocked. It’s not clear how often hospitals are hit with ransomware since some likely pay to make the problem quietly disappear. The attack on Hollywood Presbyterian Medical Center has left the hospital unable to perform some functions such as CT scans and forced it to transfer some patients elsewhere.

Last month, ransomware hackers struck another hospital, the Titus Regional Medical Center in Mount Pleasant, Texas, according to local news reports. Experian’s 2015 Data Breach Industry Forecast warned that health care cyberattacks are likely to increase as hospitals digitize additional records. Ferrillo says companies should patch software vulnerabilities, back up critical information at a separate location and have an incident response plan. Small and medium-size hospitals may be particularly vulnerable to ransomware because they think they’re less likely to be targeted, he said.

APPLE UNLOCKING CASE STIRS — Apple is urging a federal judge to issue an opinion in a case featuring a prosecution request for the company to unlock one of its encrypted smartphones. In October, Magistrate Judge James Orenstein wrote that existing law doesn't give police explicit authority to force manufacturers to do that. An 18th-century law known as the All Writs Act, for example, bars orders that impose upon parties an “undue burden.” Apple argued that unlocking the phone would be such a burden, since it would effectively conscript the company as a government agent.

The defendant whose iPhone sparked the case pleaded guilty last fall to meth distribution charges. Yet prosecutors told Orenstein they still wanted the iPhone’s contents, since the investigation was ongoing and the defendant had yet to be sentenced. Now Apple agrees that “this matter is not moot,” as it said in a Friday court filing. Orenstein is well positioned to resolve the key legal question, wrote Apple attorney Marc Zwillinger. “Doing so would be more efficient than starting the debate anew when the government attempts to use the same methods and make the same arguments in another court,” he said. Ruling in Apple’s favor could have symbolic sway but little practical effect since the company says every iPhone that’s upgraded to the current operating system since September 2014 can’t be remotely unlocked. Read Zwillinger’s filing here.

Meanwhile, a separate U.S. magistrate is ordering Apple to help unlock an iPhone used by one of the perpetrators of the San Bernardino, Calif., mass shooting. Troubled by the government's demands, Apple's Tim Cook responded in an early-morning message to customers here.

COLLATERAL DAMAGE — If 2014 was the year that data breaches went mainstream, then 2015 was the year of “collateral damage,” according to Hewlett Packard Enterprise’s 2016 Cyber Risk Report. That’s how HP refers to individuals whose privacy was compromised even though they never dealt directly with the entity that was breached. Examples: friends and relatives of people who went through the Office of Personnel Management security clearance process and loved ones of clients of the Ashley Madison adultery service.

MARK YOUR CALENDARS — The Defense Information Systems Agency will host two briefings Monday for vendors interested in bidding on contracts for milCloud 2.0. MilCloud is a suite of computer cloud services for classified and unclassified Pentagon projects. The agency recently posted the first contracting notice for the updated cloud service.

EVEN THIS GEEZER — This morning, you’ll finally get the chance to ask Director of National Intelligence James Clapper all your cybersecurity questions, on … Tumblr? Yes, Tumblr, intelligence community boss Clapper said in a self-deprecating alert Tuesday. “A few years ago, I confess that I didn’t know what a Tumblr was. But like I said, times change,” he wrote. “The IC is adapting to our world - even this geezer.”

REPORT WATCH

— An IBM survey of corporate executives out today found that 70 percent believe rogue individuals are the primary hacking threat, when in fact 80 percent of such breaches are the work of organized crime rings.

— A hack that took down Amazon Web Services could affect nearly 40 percent of media and entertainment companies, according to security ratings company BitSight Technologies.

QUICK BYTES

— The New York Times received records suggesting the NSA collects less Web data than previously believed.

— “Researchers say they have discovered a widespread vulnerability in Linux open source software that allows hackers to remotely seize control of affected computers.” POLITICO Pro.

— A California attorney general study on data breaches that were reported to the office found that 49 million records were compromised between 2012 and 2015.

About The Author

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.